CISSP Study Guide 4th Edition Eric Conrad download

The document is a promotional listing for various CISSP study guides and related materials available for download, including the 4th Edition of the CISSP Study Guide by Eric Conrad. It provides links to additional resources and books designed to assist in preparing for the CISSP certification exam. The content emphasizes the importance of staying updated with the latest knowledge and practices in information security.


CISSP Study Guide 4th Edition Eric Conrad pdf download

https://ebookmeta.com/product/cissp-study-guide-4th-edition-eric-conrad/

Download more ebook from https://ebookmeta.com


We believe these products will be a great fit for you. Click the link to download now, or visit ebookmeta.com to discover even more!

CISSP Cert Guide (Certification Guide) 4th Edition, Robin Abernathy

https://ebookmeta.com/product/cissp-cert-guide-certification-guide-4th-edition-robin-abernathy/

ISC 2 CISSP Certified Information Systems Security Professional Official Study Guide 9th Edition, Mike Chapple

https://ebookmeta.com/product/isc-2-cissp-certified-information-systems-security-professional-official-study-guide-9th-edition-mike-chapple/

Essential CISSP Exam Guide Updated for the 2018 CISSP Body of Knowledge 2nd Edition, Phil Martin

https://ebookmeta.com/product/essential-cissp-exam-guide-updated-for-the-2018-cissp-body-of-knowledge-2nd-edition-phil-martin/

The Color of Success: Asian Americans and the Origins of the Model Minority, Ellen D. Wu

https://ebookmeta.com/product/the-color-of-success-asian-americans-and-the-origins-of-the-model-minority-ellen-d-wu/

Hard and Brutal: A Forbidden Romance To Go Book 14 1st Edition, S.E. Law & S.C. Adams

https://ebookmeta.com/product/hard-and-brutal-a-forbidden-romance-to-go-book-14-1st-edition-s-e-law-s-c-adams-2/

Electrodiagnostic Medicine: A Practical Approach, Nestor Galvez-Jimenez (Editor)

https://ebookmeta.com/product/electrodiagnostic-medicine-a-practical-approach-nestor-galvez-jimenez-editor/

Race and Blood in the Iberian World, Max S Hering Torres (Editor), Maria Elena Martinez (Editor), David Nirenberg (Editor)

https://ebookmeta.com/product/race-and-blood-in-the-iberian-world-max-s-hering-torres-editor-maria-elena-martinez-editor-david-nirenberg-editor/

Anger Management For Dummies 3rd Edition, Smith Laura L

https://ebookmeta.com/product/anger-management-for-dummies-3rd-edition-smith-laura-l/

The Art of Clean Code: Best Practices to Eliminate Complexity and Simplify Your Life 1st Edition, Christian Mayer

https://ebookmeta.com/product/the-art-of-clean-code-best-practices-to-eliminate-complexity-and-simplify-your-life-1st-edition-christian-mayer/

The Exiled Mark: Great Lakes Investigations 8 1st Edition, Philippa Norcross, Michael Anderle

https://ebookmeta.com/product/the-exiled-mark-great-lakes-investigations-8-1st-edition-philippa-norcross-michael-anderle/
CISSP® Study Guide
Fourth Edition

Eric Conrad
Backshore Communications, Peaks Island, ME, United States

Seth Misenar
Context Security, LLC, Jackson, MS, United States

Joshua Feldman
Senior Vice President for Security Technology, Radian Group, Wayne, PA, United States

Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
Copyright © 2023 Elsevier Inc. All rights reserved.
CISSP® is a registered certification mark of (ISC)², Inc.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or any information storage and retrieval
system, without permission in writing from the publisher. Details on how to seek permission, further
information about the Publisher’s permissions policies and our arrangements with organizations
such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our
website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods, professional practices, or medical
treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating
and using any information, methods, compounds, or experiments described herein. In using such
information or methods they should be mindful of their own safety and the safety of others, including
parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume
any liability for any injury and/or damage to persons or property as a matter of products liability,
negligence or otherwise, or from any use or operation of any methods, products, instructions, or
ideas contained in the material herein.
ISBN: 978-0-443-18734-6

For information on all Syngress publications visit our website at https://www.elsevier.com/books-and-journals

Publisher: Mara E. Conner
Acquisitions Editor: Chris Katsaropoulos
Editorial Project Manager: John Leonard
Production Project Manager: Stalin Viswanathan
Cover Designer: Greg Harris
Typeset by STRAIVE, India
Contents
About the authors ...................................................................................................xix

CHAPTER 1 Introduction........................................................... 1
How to Prepare for the Exam ....................................................... 2
The CISSP® Exam Is a Management Exam............................. 2
The 2021 Update ....................................................................... 2
The Notes Card Approach......................................................... 3
Practice Tests ............................................................................. 3
Read the Glossary...................................................................... 3
Readiness Checklist ................................................................... 4
How to Take the Exam.................................................................. 4
Steps to Becoming a CISSP® .................................................... 4
Computer-Based Testing (CBT) ............................................... 5
CISSP® CAT ............................................................................. 5
Taking the Exam ....................................................................... 6
After the Exam .......................................................................... 9
Good Luck!.................................................................................... 9
References.................................................................................... 10
CHAPTER 2 Domain 1: Security and Risk Management............. 11
Unique Terms and Definitions .................................................... 11
Introduction.................................................................................. 12
Cornerstone Information Security Concepts............................... 12
Confidentiality, Integrity, and Availability............................. 12
Identity and Authentication, Authorization, and Accountability (AAA) ............................................. 15
Non-repudiation ....................................................................... 17
Least Privilege and Need to Know ......................................... 17
Subjects and Objects ............................................................... 18
Defense-in-Depth..................................................................... 18
Due Care and Due Diligence .................................................. 19
Legal and Regulatory Issues ....................................................... 19
Compliance With Laws and Regulations................................ 19
Major Legal Systems............................................................... 20
Criminal, Civil, and Administrative Law ............................... 21
Liability.................................................................................... 23
Due Care .................................................................................. 23
Due Diligence .......................................................................... 24
Legal Aspects of Investigations .............................................. 24
Intellectual Property ................................................................ 29
Privacy ..................................................................................... 33
International Cooperation ........................................................ 37
Import/Export Restrictions ...................................................... 38
Trans-border Data Flow .......................................................... 38
Important Laws and Regulations ............................................ 39
Ethics ........................................................................................... 42
The (ISC)²® Code of Ethics .................................................... 42
Computer Ethics Institute........................................................ 44
IAB’s Ethics and the Internet.................................................. 45
Information Security Governance ............................................... 45
Security Policy and Related Documents................................. 45
Personnel Security ................................................................... 48
Access Control Defensive Categories and Types ....................... 51
Preventive ................................................................................ 52
Detective .................................................................................. 52
Corrective................................................................................. 52
Recovery .................................................................................. 53
Deterrent .................................................................................. 53
Compensating .......................................................................... 53
Comparing Access Controls .................................................... 53
Risk Analysis ............................................................................... 54
Assets ....................................................................................... 55
Threats and Vulnerabilities ..................................................... 55
Risk = Threat × Vulnerability.................................................. 55
Impact ...................................................................................... 56
Risk Analysis Matrix............................................................... 57
Calculating Annualized Loss Expectancy............................... 57
Total Cost of Ownership ......................................................... 59
Return on Investment .............................................................. 59
Budget and Metrics ................................................................. 60
Risk Response.......................................................................... 61
Quantitative and Qualitative Risk Analysis............................ 63
The Risk Management Process ............................................... 64
Risk Maturity Modeling .......................................................... 65
Security and Third Parties ........................................................... 65
Service Provider Contractual Security .................................... 65
Minimum Security Requirements ........................................... 65
Supply Chain Risk Management............................................. 67
Vendor Governance ................................................................. 68
Acquisitions ............................................................................. 68
Divestitures .............................................................................. 68
Third Party Assessment and Monitoring ................................ 68
Outsourcing and Offshoring .................................................... 69
Types of Attackers....................................................................... 70
Hackers .................................................................................... 70
Script Kiddies .......................................................................... 71
Outsiders .................................................................................. 71
Insiders..................................................................................... 71
Hacktivist ................................................................................. 73
Bots and Botnets...................................................................... 73
Phishers and Spear Phishers .................................................... 74
Summary of Exam Objectives .................................................... 75
Self-Test....................................................................................... 76
Self-Test Quick Answer Key ...................................................... 78
References.................................................................................... 79
CHAPTER 3 Domain 2: Asset Security ..................................... 81
Unique Terms and Definitions .................................................... 81
Introduction.................................................................................. 81
Classifying Data .......................................................................... 82
Labels....................................................................................... 82
Security Compartments ........................................................... 82
Clearance ................................................................................. 83
Formal Access Approval ......................................................... 83
Need to Know.......................................................................... 83
Sensitive Information/Media Security .................................... 84
Ownership and Inventory ............................................................ 84
Asset Inventory........................................................................ 85
Asset Retention........................................................................ 85
Business or Mission Owners ................................................... 85
Data Owners ............................................................................ 86
System Owner.......................................................................... 86
Custodian ................................................................................. 86
Users ........................................................................................ 86
Data Controllers and Data Processors..................................... 87
Data Location .......................................................................... 87
Data Maintenance .................................................................... 88
Data Loss Prevention............................................................... 88
Digital Rights Management..................................................... 88
Cloud Access Security Brokers............................................... 89
Data Collection Limitation...................................................... 90
Memory and Remanence............................................................. 91
Data Remanence ...................................................................... 91
Memory.................................................................................... 91
Data Destruction .......................................................................... 94
Overwriting .............................................................................. 95
Degaussing............................................................................... 95
Destruction............................................................................... 95
Shredding ................................................................................. 96
Determining Data Security Controls........................................... 96
Certification and Accreditation ............................................... 96
Standards and Control Frameworks ........................................ 97
Scoping and Tailoring ........................................................... 100
Data States ............................................................................. 100
Summary of Exam Objectives .................................................. 102
Self-Test..................................................................................... 102
Self-Test Quick Answer Key .................................................... 104
References.................................................................................. 105
CHAPTER 4 Domain 3: Security Architecture and Engineering .... 107
Unique Terms and Definitions .................................................. 107
Introduction................................................................................ 108
Secure Design Principles........................................................... 108
Threat Modeling .................................................................... 108
Least Privilege and Defense-in-Depth .................................. 109
Secure Defaults...................................................................... 109
Privacy by Design.................................................................. 109
Fail Securely .......................................................................... 110
Separation of Duties (SoD) ................................................... 110
Keep It Simple....................................................................... 110
Trust, but Verify .................................................................... 111
Zero Trust .............................................................................. 111
Security Models ......................................................................... 113
Reading Down and Writing Up ............................................ 113
State Machine Model............................................................. 114
Bell-LaPadula Model............................................................. 115
Lattice-Based Access Controls.............................................. 115
Integrity Models .................................................................... 116
Information Flow Model ....................................................... 118
Chinese Wall Model .............................................................. 118
Non-interference .................................................................... 118
Take-Grant ............................................................................. 119
Access Control Matrix........................................................... 119
Zachman Framework for Enterprise Architecture ................ 120
Graham-Denning Model........................................................ 120
Harrison-Ruzzo-Ullman Model ............................................. 121
Evaluation Methods, Certification, and Accreditation ............. 121
The International Common Criteria ...................................... 121
Secure System Design Concepts ............................................... 122
Layering ................................................................................. 123
Abstraction............................................................................. 123
Security Domains .................................................................. 123
The Ring Model..................................................................... 124
Open and Closed Systems ..................................................... 125
Secure Hardware Architecture .................................................. 125
The System Unit and Motherboard....................................... 125
The Computer Bus................................................................. 126
The CPU ................................................................................ 127
Memory Protection ................................................................ 130
Trusted Platform Module ...................................................... 132
Data Execution Prevention and Address Space Layout Randomization ........................... 133
Secure Operating System and Software Architecture .............. 134
The Kernel ............................................................................. 134
Users and File Permissions ................................................... 135
Virtualization, Cloud, and Distributed Computing................... 137
Virtualization ......................................................................... 138
Cloud Computing .................................................................. 139
Microservices, Containers, and Serverless............................ 141
High-Performance Computing (HPC) and Grid Computing ................................................. 144
Peer-to-Peer ........................................................................... 145
Thin Clients ........................................................................... 145
Embedded Systems and The Internet of Things (IoT) ......... 146
Distributed Systems and Edge Computing Systems............. 147
Industrial Control Systems (ICS) .......................................... 148
System Vulnerabilities, Threats, and Countermeasures ........... 149
Emanations............................................................................. 149
Covert Channels .................................................................... 149
Backdoors .............................................................................. 150
Malicious Code (Malware).................................................... 150
Server-Side Attacks ............................................................... 152
Client-Side Attacks................................................................ 153
Web Architecture and Attacks .............................................. 153
Database Security .................................................................. 156
Countermeasures.................................................................... 158
Mobile Device Attacks .......................................................... 158
Cornerstone Cryptographic Concepts ....................................... 159
Key Terms ............................................................................. 159
Confidentiality, Integrity, Authentication, and Non-repudiation ............................................. 160
Confusion, Diffusion, Substitution, and Permutation ........... 160
Cryptographic Strength.......................................................... 161
Monoalphabetic and Polyalphabetic Ciphers........................ 161
Modular Math ........................................................................ 162
Exclusive Or (XOR) .............................................................. 162
Data at Rest and Data in Motion .......................................... 163
Protocol Governance ............................................................. 163
Types of Cryptography.............................................................. 163
Symmetric Encryption........................................................... 163
Asymmetric Encryption......................................................... 171
Quantum Encryption.............................................................. 173
Hash Functions ...................................................................... 174
Cryptographic Attacks ............................................................... 176
Brute Force ............................................................................ 176
Social Engineering................................................................. 176
Rainbow Tables ..................................................................... 176
Known Plaintext .................................................................... 178
Chosen Plaintext and Adaptive Chosen Plaintext ................ 178
Chosen Ciphertext and Adaptive Chosen Ciphertext ........... 178
Meet-in-the-Middle Attack.................................................... 178
Known Key............................................................................ 179
Differential Cryptanalysis...................................................... 179
Linear Cryptanalysis.............................................................. 179
Implementation Attacks......................................................... 179
Side-Channel Attacks ............................................................ 180
Fault Injection Attacks .......................................................... 181
Ransomware........................................................................... 181
Birthday Attack...................................................................... 181
Key Clustering ....................................................................... 182
Implementing Cryptography...................................................... 182
Digital Signatures .................................................................. 182
Message Authentication Code ................................................ 183
HMAC.................................................................................... 183
Public Key Infrastructure ...................................................... 184
SSL and TLS ......................................................................... 185
IPsec....................................................................................... 186
PGP ........................................................................................ 187
S/MIME ................................................................................. 187
Escrowed Encryption............................................................. 188
Steganography ....................................................................... 188
Perimeter Defenses .................................................................... 189
Fences .................................................................................... 189
Gates ...................................................................................... 189
Bollards .................................................................................. 190
Lights ..................................................................................... 190
CCTV..................................................................................... 191
Locks...................................................................................... 192
Smart Cards and Magnetic Stripe Cards............................... 196
Tailgating/Piggybacking........................................................ 198
Mantraps and Turnstiles ........................................................ 198
Contraband Checks................................................................ 198
Motion Detectors and Other Perimeter Alarms .................... 199
Doors and Windows .............................................................. 200
Walls, Floors, and Ceilings ................................................... 200
Guards .................................................................................... 201
Dogs ....................................................................................... 201
Restricted Work Areas and Escorts ...................................... 202
Site Selection, Design, and Configuration................................ 202
Site Selection Issues .............................................................. 202
Site Design and Configuration Issues ................................... 203
System Defenses........................................................................ 205
Asset Tracking ....................................................................... 205
Port Controls.......................................................................... 205
Environmental Controls............................................................. 206
Electricity............................................................................... 206
HVAC .................................................................................... 208
Heat, Flame, and Smoke Detectors....................................... 209
Personnel Safety, Training, and Awareness.......................... 210
ABCD Fires and Suppression ............................................... 211
Types of Fire Suppression Agents ........................................ 212
Summary of Exam Objectives .................................................. 217
Self-Test..................................................................................... 218
Self-Test Quick Answer Key .................................................... 220
References.................................................................................. 221
CHAPTER 5 Domain 4: Communication and Network Security ............................................ 225
Unique Terms and Definitions .................................................. 225
Introduction................................................................................ 225
Network Architecture and Design............................................. 226
Network Defense-in-Depth.................................................... 226
Fundamental Network Concepts ........................................... 226
The OSI Model ...................................................................... 228
The TCP/IP Model ................................................................ 230
Encapsulation......................................................................... 232
Network Access, Internet, and Transport Layer Protocols and Concepts ................................. 232
Application Layer TCP/IP Protocols and Concepts ............. 248
Transmission Media .............................................................. 252
LAN Technologies and Protocols ......................................... 254
LAN Physical Network Topologies ...................................... 256
WAN Technologies and Protocols........................................ 257
Converged Protocols.............................................................. 259
Micro-segmentation ............................................................... 262
Wireless Local Area Networks ............................................. 264
ZigBee.................................................................................... 267
Li-Fi ....................................................................................... 268
RFID ...................................................................................... 268
Cellular Networks.................................................................. 269
Satellite .................................................................................. 269
Secure Network Devices and Protocols .................................... 270
Repeaters and Hubs ............................................................... 270
Bridges ................................................................................... 270
Switches ................................................................................. 271
Network Taps......................................................................... 273
Routers ................................................................................... 274
Modem ................................................................................... 278
DTE/DCE and CSU/DSU...................................................... 278
Operation of Hardware .......................................................... 278
Secure Communications ............................................................ 279
Authentication Protocols and Frameworks ........................... 279
VPN........................................................................................ 282
Remote Access ...................................................................... 284
Summary of Exam Objectives .................................................. 289
Self-Test..................................................................................... 289
Self-Test Quick Answer Key .................................................... 291
References.................................................................................. 292
CHAPTER 6 Domain 5: Identity and Access Management (IAM) .... 295
Unique Terms and Definitions .................................................. 295
Introduction................................................................................ 295
Authentication Methods ............................................................ 296
Type 1 Authentication: Something You Know .................... 296
Type 2 Authentication: Something You Have...................... 304
Type 3 Authentication: Something You Are ........................ 306
Someplace You Are............................................................... 311
Access Control Technologies .................................................... 311
Centralized Access Control ................................................... 311
Decentralized Access Control ............................................... 311
Single Sign-On (SSO) ........................................................... 312
Federated Identity Management............................................ 313
Identity as a Service (IDaaS) ................................................ 314
Federated Identity with a Third-Party Service...................... 315
Credential Management Systems .......................................... 316
LDAP ..................................................................................... 316
Kerberos................................................................................. 317
Access Control Protocols and Frameworks .......................... 321
Access Control Models.............................................................. 323
Discretionary Access Controls (DAC) .................................. 323
Mandatory Access Controls (MAC) ..................................... 324
Role-Based Access Control................................................... 324
Rule-Based Access Controls ................................................. 325
Attribute-Based Access Control (ABAC) ............................. 325
Risk-Based Access Control ................................................... 326
Identity and Access Provisioning Lifecycle ............................. 327
Registration, Proofing, and Establishment of Identity.......... 327
Role Definition ...................................................................... 328
Provisioning and Deprovisioning .......................................... 328
Just-In-Time (JIT).................................................................. 329
Account Access Review ........................................................ 329
Privilege Escalation ............................................................... 330
Summary of Exam Objectives .................................................. 331
Self-Test..................................................................................... 332
Self-Test Quick Answer Key .................................................... 334
References.................................................................................. 334
CHAPTER 7 Domain 6: Security Assessment and Testing........ 337
Unique Terms and Definitions .................................................. 337
Introduction................................................................................ 337
Security Control Testing ........................................................... 338
Internal, External, Employee, and Third-Party Testing........ 338
Penetration Testing ................................................................ 338
Breach Attack Simulations.................................................... 340
Vulnerability Assessment ...................................................... 341
Security Audits ...................................................................... 341
Security Assessments............................................................. 341
Log Reviews .......................................................................... 342
Compliance Checks ............................................................... 344
Synthetic Transactions........................................................... 345
Application Security Testing................................................. 345
Traceability Matrix ................................................................ 348
Misuse Case Testing.............................................................. 349
Test Coverage Analysis......................................................... 349
Interface Testing .................................................................... 349
Analyze and Report Test Outputs ......................................... 350
Collecting Security Process Data .............................................. 350
Account Management............................................................ 351
Management Review and Approval...................................... 351
Key Performance and Risk Indicators .................................. 352
Backup Verification Data...................................................... 353
Tracking Training and Awareness ........................................ 353
Summary of Exam Objectives .................................................. 353
Self-Test..................................................................................... 354
Self-Test Quick Answer Key .................................................... 357
References.................................................................................. 358